BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) — mitigation?

BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) — what Cisco users must know

BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) has exposed countless edge devices to high risk. Since October 2023 attackers have leveraged this Lua-based web shell against vulnerable web UI installations. As a result, organizations running Cisco IOS XE face remote, unauthenticated privilege escalation. Because the flaw ties to the ip http server and ip http secure-server features, many default setups remain vulnerable. Therefore, credential exfiltration and the creation of highly privileged accounts became practical objectives for adversaries.

Although the implant does not survive a reboot, attackers often apply non-persistent patches to hide compromise. However, they may also steal credentials or establish other persistence mechanisms after access. ASD and Cisco advisories report sustained, widespread exploitation and provide fixed releases and mitigation guidance.

For Cisco administrators this vulnerability demands urgent attention, because re-exploitation continued into 2025. In this guide we outline detection strategies, incident response steps, and hardening recommendations to reduce exposure. Ultimately, understanding BADCANDY threats and applying patches like 17.9.4a along with ACL controls will limit future risk.

BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)

BADCANDY is a Lua-based web shell that attackers install on exposed Cisco IOS XE web UIs. Because of a critical privilege escalation flaw, adversaries can install the implant without authentication. Cisco documents this as CVE-2023-20198 and provides mitigation and patch details: Cisco Security Advisory. As a result, compromised devices can receive highly privileged accounts and hidden modifications.

Exploitation requires the web UI feature to be enabled. Specifically, the device must run ip http server or ip http secure-server. Cisco offers technical FAQs detailing detection and configuration steps: Cisco TAC Technical FAQs. Therefore, default or loosely configured systems face higher risk.

Key characteristics and technical insights

  • Lua-based web shell that executes commands through the web UI and backdoors admin functions
  • Remote unauthenticated privilege escalation leading to creation of privilege level 15 accounts
  • Requires web UI enabled via ip http server or ip http secure-server
  • Implant does not persist after a reboot; however, attackers often exfiltrate credentials before the device is rebooted
  • Adversaries deploy non-persistent patches to mask compromises and hinder detection
  • Campaign active since October 2023 with renewed activity through 2024 and 2025
  • Reported compromises in Australia include over 150 devices, with broader impacts noted: The Hacker News Report
  • Espionage actor SALT TYPHOON has been linked to this vector, so prioritize network isolation and credential rotation

Understanding how BADCANDY abuses the web UI helps prioritize patches, ACLs, and monitoring.


Mitigation and Cisco response: BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)

Cisco assigned high priority to CVE-2023-20198 and published fixes and guidance. Cisco lists fixed releases including 17.9.4a, 17.6.6a, 17.3.8a, and 16.12.10a. For details and advisory text, see the Cisco security advisory: Cisco Security Advisory. Therefore, applying vendor updates remains the single best defense.

Recommended immediate actions

  • Apply Cisco patched releases as soon as maintenance windows allow
  • If patching is delayed, disable the web UI with no ip http server and no ip http secure-server
  • Enforce access control lists to limit web UI access to trusted IPs
  • Rotate all privileged credentials and invalidate suspected API keys
  • Reboot devices after cleanup because the implant does not survive a reboot
  • Conduct integrity checks and restore known good configurations where needed
  • Monitor management plane logs and alert on new high-privilege account creation
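As an added example (not code from the page, from Cisco, or from any advisory), the checks below turn the exposure conditions listed above into a small audit: is the web UI enabled, is it bound to an ACL, are there privilege 15 accounts outside an approved baseline, and is the running release below the fixed release for its train. The two running-config excerpts are constructed, the ACL name MGMT-WEBUI and the account svc_backup2 are hypothetical, and the ip http access-class ipv4 syntax is assumed from IOS XE 17.x and should be verified against your platform's documentation.

```python
import re

# Constructed "show running-config" excerpts (not captured from a real device).
WEAK_CONFIG = """\
hostname edge-rtr-1
username admin privilege 15 secret 9 $9$placeholder
username svc_backup2 privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
"""
HARDENED_CONFIG = """\
hostname edge-rtr-1
username admin privilege 15 secret 9 $9$placeholder
ip access-list standard MGMT-WEBUI
 permit 10.0.0.0 0.0.0.255
 deny   any
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-WEBUI
"""
# Fixed releases per train, as listed on this page.
FIXED = {"17.9": "17.9.4a", "17.6": "17.6.6a", "17.3": "17.3.8a", "16.12": "16.12.10a"}

def version_key(v: str) -> tuple:
    """Turn '17.9.4a' into (17, 9, 4, 'a'); a rebuild letter sorts after the bare number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", v)
    if not m:
        raise ValueError(f"unrecognised IOS XE version: {v}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def needs_upgrade(version: str):
    """True if version is below the fixed release for its train; None if the train is not in the table."""
    train = ".".join(version.split(".")[:2])
    fixed = FIXED.get(train)
    return None if fixed is None else version_key(version) < version_key(fixed)

def audit_config(running_config: str, approved_priv15: set) -> list:
    """Flag the exposure conditions this page describes in a running-config excerpt."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    findings = []
    web_ui = "ip http server" in lines or "ip http secure-server" in lines
    if "ip http server" in lines:
        findings.append("plain-HTTP web UI enabled (ip http server)")
    if web_ui and not any(ln.startswith("ip http access-class") for ln in lines):
        findings.append("web UI reachable without an ip http access-class ACL")
    for ln in lines:
        m = re.match(r"username (\S+) privilege 15\b", ln)
        if m and m.group(1) not in approved_priv15:
            findings.append(f"unapproved privilege 15 account: {m.group(1)}")
    return findings
```

Run audit_config over the output of show running-config and needs_upgrade over the release string from show version; an empty findings list plus needs_upgrade returning False is the target state.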

Further hardening and response

Additionally, segment management networks and require multifactor authentication for admins. Moreover, use centralized logging and EDR where possible to detect non-persistent post-exploit artifacts. If you need help, engage Cisco TAC and follow TAC technical guidance: Cisco TAC Technical Guidance. Finally, document incidents and notify stakeholders promptly to reduce downstream risk.

Affected versions and patches: BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)

IOS XE train | Typical products | Affected baseline versions | Fixed release (patched build) | Advisory and details | Upgrade recommendation
--- | --- | --- | --- | --- | ---
17.9.x | Newer enterprise routers and switches | Vulnerable 17.9 releases prior to patch | 17.9.4a | Advisory Details | Upgrade to 17.9.4a or later during next maintenance window; test configs first
17.6.x | Long term support enterprise platforms | Vulnerable 17.6 releases prior to patch | 17.6.6a | Advisory Details | Apply 17.6.6a if on 17.6 train; if unable, disable web UI and restrict management ACLs
17.3.x | Older enterprise switches and routers | Vulnerable 17.3 releases prior to patch | 17.3.8a | Advisory Details | Plan upgrade to 17.3.8a or migrate to a supported train with patches
16.12.x | Catalyst and legacy platforms | Vulnerable 16.12 releases prior to patch | 16.12.10a | Advisory Details | Install 16.12.10a for affected platforms or isolate devices behind management ACLs

Notes: for configuration guidance and TAC FAQs see Cisco TAC FAQs. If immediate patching is not possible, disable ip http server and ip http secure-server and rotate privileged credentials.

Conclusion: BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)

The BADCANDY web shell on Cisco IOS XE (CVE-2023-20198) shows how a single web UI flaw can expose high-value networking gear. Because attackers exploited the web UI, they gained remote, unauthenticated privilege escalation. However, the implant itself does not persist after a reboot, yet adversaries often exfiltrate credentials and add covert changes. Therefore, the campaign demands rapid detection and decisive response.

Apply vendor fixes and follow hardening guidance as a priority. Cisco published patched releases such as 17.9.4a, 17.6.6a, 17.3.8a, and 16.12.10a, and administrators should upgrade where possible. If immediate patching proves impossible, disable the web UI, restrict access with ACLs, rotate credentials, and monitor management logs. Additionally, rebooting cleaned devices eliminates the non-persistent implant and helps regain a known state.

Good security hygiene reduces re-exploitation risk. Segment management networks, enforce multifactor authentication, and centralize logging and alerting. Moreover, engage Cisco TAC for complex incidents and document all recovery steps.

For organizations exploring smart tech solutions beyond infrastructure security, Velocity Plugins specializes in AI-driven WooCommerce plugins. Visit Velocity Plugins to learn how their tools can boost conversions and lower support costs, while you focus on securing core network assets.

Frequently Asked Questions (FAQs)

What is the BADCANDY web shell on Cisco IOS XE (CVE-2023-20198)?

It is a Lua-based web shell attackers deploy via a Cisco IOS XE web UI bug. Because the flaw allows unauthenticated privilege escalation, attackers can create highly privileged accounts and run admin actions.

How does it impact Cisco devices?

Compromised devices can host backdoors, leak credentials, and enable lateral movement. However, the implant does not persist after reboot, though attackers often exfiltrate credentials first.

How can I prevent infection?

  • Apply Cisco patches immediately.
  • Disable the web UI if it is not needed, using the no ip http server and no ip http secure-server commands.
  • Restrict management access with ACLs and isolated management networks.
  • Enforce strong passwords and multifactor authentication.

How do I detect and respond to an active compromise?

Monitor management plane logs for new high-privilege accounts and unusual web UI activity. Perform integrity checks, rotate credentials, and reboot affected devices. As a result, you remove the non-persistent implant and reduce further access.

What if I cannot patch right away?

Disable ip http server and ip http secure-server. Restrict access via ACLs, rotate all privileged credentials, and increase logging and alerts. Engage Cisco TAC for complex investigations.
